Win32 EXE format:

offset         size/type     description
==============================================

*** DOS part of the EXE ***

0              2/WORD        EXE signature 'MZ' (5A4D)
2              2/WORD        Length of last page
4              2/WORD        Length of program code in 512-byte blocks
                             (even though a page is 4096 bytes, it's documented
                             as "512-byte pages".)
6              2/WORD        # of elements in relocation table
8              2/WORD        Header size (in paragraphs)
                             The "header" does not include the relocation table.
                             2 = MS-DOS executable
                             4 = Win32 executable
10             2/WORD        Minimum paragraphs needed to run
12             2/WORD        Maximum paragraphs needed to run
14             2/WORD        Segment correction for stack segment (SS)
16             2/WORD        Value of SP (stack pointer)
18             2/WORD        Checksum word (negative sum of all words in the
                             entire file)
20             2/WORD        Value of IP (instruction pointer)
22             2/WORD        Segment correction for code segment (CS)
24             2/WORD        Offset of relocation table (call it TablOff)
26             2/WORD        Overlay number (0 = main module)

*** Win32 part ***

28             32/WORD[16]   "Reserved" data
4              4/DWORD       Offset of "new" header (call it NewHdrOff)

*** DOS part - Relocation Table ***

TablOff        2/WORD        Offset of word to relocate
TablOff+2      2/WORD        Segment of word to relocate

*** Win32 part - "Image File Header" ***

NewHdrOff      4/DWORD       Signature (00004550h)
NewHdrOff+4    2/WORD        Machine identifier
                             Intel 386 = 332 (14Ch)
                             Intel 860 = 333 (14Dh)
NewHdrOff+6    2/WORD        Number of sections
NewHdrOff+8    4/DWORD       Time date stamp
NewHdrOff+12   4/DWORD       Symbols Pointer (??)
NewHdrOff+16   4/DWORD       # of symbols (??)
NewHdrOff+20   2/WORD        Size of optional image header
                             Win32 = E0h
NewHdrOff+22   2/WORD        Characteristics
                             bit 0  - "Relocation info stripped from file"
                             bit 1  - "File is executable (i.e. no unresolved
                                      external references)."
                             bit 2  - "Line numbers stripped from file"
                             bit 3  - "Local symbols stripped from file"
                             bit 6  - "16-bit WORD machine"
                             bit 7  - "Low bytes of machine word are reversed"
                             bit 8  - "32-bit WORD machine"
                             bit 9  - "Debug info stripped from file in .DBG file"
                             bit 12 - "System File"
                             bit 13 - "File is a DLL"
                             bit 15 - "High bytes of machine word are reversed"

*** Win32 part - "Optional Image File Header" ***

NewHdrOff+24   2/WORD        Magic (??)
                             Win32 = 010B
NewHdrOff+26   1/BYTE        Major linker version (3 = 3.??)
NewHdrOff+27   1/BYTE        Minor linker version (10 = ?.10)
NewHdrOff+28   4/DWORD       Size of code
NewHdrOff+32   4/DWORD       Size of initialized data
NewHdrOff+36   4/DWORD       Size of uninitialized data
NewHdrOff+40   4/DWORD       Address of entry point
NewHdrOff+44   4/DWORD       Code base address
NewHdrOff+48   4/DWORD       Data base address
NewHdrOff+52   4/DWORD       Image base
NewHdrOff+56   4/DWORD       Section alignment (why?)
NewHdrOff+60   4/DWORD       File alignment (why?)
NewHdrOff+64   2/WORD        Major OS version
NewHdrOff+65   2/WORD        Minor OS version
NewHdrOff+66   2/WORD        Major image version (why?)
NewHdrOff+67   2/WORD        Minor image version (why?)
NewHdrOff+68   2/WORD        Major subsystem version
NewHdrOff+69   2/WORD        Minor subsystem version
NewHdrOff+70   4/DWORD       "Reserved1"
                             For some reason, QuickView shows 1000000h even
                             though there's nothing there in the file.
                             Hiding something, Microsoft?
NewHdrOff+74   4/DWORD       Size of image
NewHdrOff+78   4/DWORD       Size of headers
NewHdrOff+82   4/DWORD       Checksum
NewHdrOff+86   1/BYTE        Subsystem
                             00h = "Unknown subsystem"
                             01h = "Image doesn't require a subsystem"
                             02h = "Image runs in the Windows GUI subsystem"
                             03h = "Image runs in the Windows character
                                    subsystem" (i.e., a console)
NewHdrOff+87   2/WORD        DLL characteristics
NewHdrOff+89   4/DWORD       Size of stack reserve
NewHdrOff+93   4/DWORD       Size of stack commit
NewHdrOff+97   4/DWORD       Size of heap reserve
NewHdrOff+101  4/DWORD       Loader flags
NewHdrOff+105  4/DWORD       Size of data directory
NewHdrOff+109  2/WORD        Import directory virtual address
NewHdrOff+111  2/WORD        Import directory size
NewHdrOff+113  2/WORD        Base relocation table virtual address
NewHdrOff+115  2/WORD        Base relocation table size
NewHdrOff+117  2/WORD        Debug directory virtual address
NewHdrOff+119  2/WORD        Debug directory size
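As an added example (not part of the original description), the following Python reads the DOS header and the "Image File Header" fields from the table above and decodes the Characteristics bits, building a constructed sample image instead of opening a real file. It assumes NewHdrOff is read from file offset 60 (3Ch), the standard e_lfanew location; the bounds check on NewHdrOff before it is used as an index is the step a loader or scanner must never skip, since that value comes straight from the file.

```python
import struct

# Machine identifiers and Characteristics bits exactly as the table above lists them.
MACHINES = {0x14C: "Intel 386", 0x14D: "Intel 860"}
CHARACTERISTICS = {0: "Relocation info stripped", 1: "File is executable",
                   2: "Line numbers stripped", 3: "Local symbols stripped",
                   6: "16-bit WORD machine", 7: "Low bytes reversed",
                   8: "32-bit WORD machine", 9: "Debug info in .DBG file",
                   12: "System File", 13: "File is a DLL", 15: "High bytes reversed"}
# Image File Header: Signature, Machine, #sections, timestamp, symbols ptr,
# #symbols, optional header size, Characteristics (24 bytes, little-endian).
IMAGE_FILE_HEADER = struct.Struct("<IHHIIIHH")

def parse_headers(data: bytes) -> dict:
    """Parse the DOS header and Image File Header, bounds-checking every read so a
    truncated file or an out-of-range NewHdrOff raises ValueError, not struct.error."""
    if len(data) < 64:
        raise ValueError("too short for a DOS header")
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        raise ValueError("missing 'MZ' signature")
    header_paragraphs = struct.unpack_from("<H", data, 8)[0]   # 2 = MS-DOS, 4 = Win32
    new_hdr_off = struct.unpack_from("<I", data, 60)[0]        # NewHdrOff at 3Ch (e_lfanew)
    # NewHdrOff comes from the file, so treat it as untrusted before indexing with it.
    if new_hdr_off + IMAGE_FILE_HEADER.size > len(data):
        raise ValueError(f"NewHdrOff {new_hdr_off:#x} points past end of file")
    sig, machine, nsect, stamp, _, _, opt_size, chars = IMAGE_FILE_HEADER.unpack_from(data, new_hdr_off)
    if sig != 0x00004550:
        raise ValueError(f"bad PE signature {sig:#010x}")
    return {"header_paragraphs": header_paragraphs, "new_hdr_off": new_hdr_off,
            "machine": MACHINES.get(machine, f"unknown ({machine:#x})"),
            "sections": nsect, "timestamp": stamp, "optional_header_size": opt_size,
            "is_dll": bool(chars & (1 << 13)),
            "flags": [n for b, n in CHARACTERISTICS.items() if chars & (1 << b)]}

def build_sample(new_hdr_off=64, characteristics=0x0102, machine=0x14C) -> bytes:
    """Constructed 88-byte test image (64-byte DOS header + Image File Header).
    It is not a runnable executable; it exists only to exercise parse_headers."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, 0x5A4D)        # 'MZ'
    struct.pack_into("<H", dos, 8, 4)             # header size in paragraphs: Win32
    struct.pack_into("<I", dos, 60, new_hdr_off)  # NewHdrOff
    return bytes(dos) + IMAGE_FILE_HEADER.pack(0x00004550, machine, 3, 0, 0, 0, 0xE0, characteristics)

if __name__ == "__main__":
    print(parse_headers(build_sample()))
    try:
        parse_headers(build_sample(new_hdr_off=0xFFFFFF0))  # lies beyond EOF
    except ValueError as e:
        print("rejected:", e)
```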